Just A Heartbleed Away: The Dirty Little Secret in IT Security is Creating A Major Risk
One of the major lessons learned from the Heartbleed Bug is just how vulnerable critical IT components, like encryption, are. The potential impact of these vulnerabilities can be severe and far-reaching. To make matters worse, a lack of management controls and visibility, especially in ubiquitously deployed software, enables cyber criminals to:
- Go after a huge attack surface at the moment they identify a vulnerability
- Continue to exploit the weakness because remediation capabilities are not in place
- Escape without a trace
Encryption is nothing new. Yet, for the masses, encryption is still something of a mystery, despite reliance on it every day to keep personal data, banking information and top secrets safe and secure. We know as technologies like encryption “age,”their respective cost decreases. As such, today’s marketplace, encryption technology is often considered a fully commoditized tool. As a result, when it comes to encryption, many companies opt for open source options when selecting a solution.
The debate as to whether commercial or open source technology is better-suited for the enterprise rages on. Much of that boils down to how the technology is deployed, resourced and managed. Most Senior IT Executives don’t have encryption on their radar, perhaps because encryption technology has been commoditized to the point that no-cost alternatives seem to be viable options.
Whether your encryption mechanisms are commercial or open source, ensuring the security of critical infrastructure is critical for any organization. Core encryption technology, largely left in the domains of IT application developers and system administrators, has been missing proper management capabilities such as access control, monitoring and proactive data loss prevention.
Lacking centralized control becomes a challenge for organizations when they need to swap out authentication credentials, understand what data has been compromised and get accurate management reporting on a breach or vulnerability response. Secure Shell, the encrypted protocol, has existed as a workhorse tool to secure data-in-transit for both interactive human users and, even more so, machine-to-machine communications.
In a recent report, Forrester showed many organizations do not have controls in place for their Secure Shell networks, despite 82% of respondents considering Secure Shell important or critical to their business. Even more concerning? Nearly two-thirds of respondents shared that Secure Shell management is fragmented and spread out amongst a number of individuals and teams throughout the organization.
If one considers the time, effort and money enterprises have spent on IAM, SIEM, DLP and IDS/IDP to gain visibility into their network environment, it is shocking to know that most organizations don’t extend these capabilities into their encrypted networks.
This is the dirty little secret in the IT Security world. And it has been going on for quite some time.
Open Doors, Backdoors and Clever Workarounds
While Heartbleed has helped to raise the level of awareness concerning the management of encrypted networks, there is still much more below the surface that needs to be addressed.
We know key-based authentication is one of the more common methods used to gain access to network assets. It is convenient for IT administrators and often a de facto requirement for application to application —or M2M —communications.
Easy to create, keys are essentially basic text files, easily uploaded to the appropriate system. An identity, either interactive (human) or automated (machine) is associated with each key. Whomever possesses the private key can access information assets and perform tasks, such as transferring a file or dropping a database, depending on what the identity is authorized to do.
While IT Security professionals worry about backdoors attackers can use to steal data, many don’t realize the number of open doors that exist in their encrypted networks. In the case of Secure Shell, the keys —those simple little text files —provide access to some of the most critical information assets in an organization.
According to Forrester, Secure Shell is used for a wide range of functions, including securing automated data transfer, remote VPN, M2M transmissions, data center automation, application developer access and in automated backup and recovery functions. With all of the employees, contractors and applications that have been assigned keys over the past fifteen years, the number of keys in enterprise environments is staggering.
A major bank with 10,000 hosts had over 1.5 million Secure Shell keys in their environment. Ten percent, or 150,000, of the keys provided a highlevel of administrator access. This is a tremendous number of open doors. Even more concerning? The fact that data moving through these channels went unmonitored.
How did this organization learn of this problem? An audit was conducted under the Monetary Authority of Guidelines. From an access control standpoint, the Monetary Authority of Guidelines is very similar to many other regulations, such as SOX, PCI and GLBA. As an enterprise operating in one of the most heavily regulated verticals in the world, the bank had strong internal controls and policies, but overlooked securing their encrypted networks.
How could this happen? The answer is simple: encryption is often perceived as a tool. Without glaring disruptions in business processes and functionality, many organizations conclude everything must be fine.
In reality, the bank’s IT organization had a considerable problem to address. The keys deployed in their environment were not monitored or under centralized management —no one knew the number of keys deployed and what they granted access to, let alone who was in possession of the keys.
There were backdoors, too. Keys assigned to developers and deployed in their development environment were being pushed to the production environment. Consequently, a large number of individuals had unregulated access to critical information assets, including credit card data and customer information.
In other instances, “convenience” factors come in to play. System administrators and application developers will often deploy keys in order to more readily gain access to systems they are working on. These keys typically grant a fairly high level of privilege, often used in multiple systems, creating a one-to-many authentication relationship.
Terminated or reassigned employees or contractors no longer requiring access to systems maintain access through their Secure Shell keys. The status quo suggests terminating an account is enough. However, when Secure Shell keys are involved, the keys need to be removed, or the backdoor remains in place.
The use of keys to subvert privileged access management system provides a third, and common, example. Many PAM systems utilize a gateway or jump host that administrators log into in order to access network assets. PAM solutions connect with user directories to assign privilege, monitor user actions and record what actions have been taken.
While this sounds like an airtight strategy to monitor administrators, it is important to consider how easy it is for an administrator to log into the gateway, deploy a key, and log in using key authentication or just use a key already on the server —a clever workaround technique that subverts the PAM safeguards —and we see it much more than you would think.
The Rise of the Machines
A lack of access control in encrypted environments is just part of the story. Conventional PAM solutions, which utilize gateways and focus on interactive users while overlooking machine-to-machine traffic, are designed only to monitor administrator activities, but, as mentioned above, end up being fairly easy to bypass.
In the age of the Internet of Things, the rapid increase in the amount of information being processed in the data center and the corresponding growth in automated applications, M2M traffic now far exceeds interactive user traffic in the number of identities, the number of log ins, and volume of traffic. Conventional PAM solutions miss a staggering 80% to 90% of network traffic. Additionally, M2M identities can easily be hijacked by a malicious insider or external attacker.
Smarter Security: The Next Generation of Privileged Access Management
A major part of the Zero Trust model is the idea that perimeters aren’t secure, so everything should be encrypted. Encryption has the effect of “killing” your data, making it unusable to cyber criminals and eliminating the value of the data to the attacker. However, for all the advantages of ubiquitous encryption, there are corresponding challenges.
Encryption blinds security operations and forensics teams from seeing if an exploit has occurred and what data was compromised. Encrypted traffic is rarely monitored or inspected. Rather, it is allowed to flow freely both into and out of the enterprise. This creates some obvious risks and, to a very late degree, negates security intelligence capabilities.
Asked how they handle encrypted traffic at the perimeter, many IT security professionals share that they “just let it flow through.” A search for the terms “SSH”and “Firewall”online reveals a large number of highly instructive articles discussing how to use Secure Shell to bypass corporate firewalls. A fairly common practice, using SSH is a clever workaround to circumvent policy.
Unfortunately, it creates a huge security risk. In order to eliminate this risk, the traffic must be decrypted and inspected.
To seamlessly decrypt Secure Shell traffic, an inline proxy with access to the private keys —essentially a friendly man-in-the-middle —would need to be used. By bringing authentication credentials, specifically keys, under management, this can be on the wire.
When such a solution is successfully deployed, 100% of your encrypted traffic, and interactive users and M2M, can be monitored and, because it is done at the network level, it is not possible to execute a workaround. Layered security solutions —IDS, SIEM, DLP —would then be enabled to inspect traffic and proactively detect suspicious or out-of-policy traffic. This activity, known as encrypted channel monitoring, represents the next generation of Privileged Access Management.
Encrypted channel monitoring enables organizations to move away from the gateway approach to PAM and finally solve the challenge of decrypting traffic at the perimeter and within zones inside the estate all while stopping attackers from using your own encryption technologies against you.
Additionally, IT professionals can enable inline access controls and user profiling to control what activities a user can undertake, such as enforcing policy controls that forbid file transfers from certain critical systems. With more advanced solutions, sub-channels running inside the encrypted tunnel (the preferred pathway of hackers looking to quickly exfiltrate data) can be blocked.
Examining this in the context of Heartbleed, encryption technologies are often deployed in the absence of proper access controls or effective monitoring while also blinding layered defenses. A major vulnerability such as Heartbleed potentially compromises the entire server which may, in turn, expose other areas of the estate along withother tools and systems to follow on attacks .
There is no way around it: it is vital for IT executives to take a look at their encrypted networks to ensure layered defenses are enabled, emergency operations such as a key rotation can be easily done and proactive monitoring is in place.
Chasing Unicorns or Unfortunate Reality?
If you aren’t yet convinced that proper management and control of encrypted networks is critical, review the below Visa security alert entitled “Remote Access Vulnerabilities Most Frequent Attack Method Used by Intruders” from April 19, 2011.
Insecure remote access continues to be the most frequent attack method used by intruders to gain access to a merchant's point of sale (POS) environment. There are a variety of remote access solutions available, ranging from command line based (SSH, Telnet) to visually driven packages (pcAnywhere, VNC, MS Remote Desktop).
The exploitation of improperly configured remote management software tools is the method of attack most frequently used by hackers against POS payment systems. Most merchants rely on third parties (POS vendors, resellers or integrators) to manage their POS systems. It is important that merchants require that these third parties follow established best practices when remotely accessing POS systems.
Once an intruder is inside a merchant's network, the intruder can install malicious software (such as key logger malware or packet sniffers) to capture full track data from the POS system and exfiltrate data to the intruder's IP address(es).
Sound eerily familiar to a high profile story? The recent breach at Target is just one of the latest in a string of breaches targeting encryption technologies. And why would a hacker not take advantage of encryption? It provides access to high value data and while cloaking the malicious activity and providing a cloaked means of exfiltration.
The Threat Landscape
Over the past year alone, several advanced threats have appeared, including Careto (aka “The Mask”). Discovered in February 2014, Careto has been recognized as one of the most sophisticated advanced persistent threats ever identified. As a particularly nasty piece of malware, Careto targets a long list of documents, encryption keys, SSH keys, VPN configurations and RDP files. The campaign was active for seven years and directed towards government agencies, embassies, diplomatic offices and energy companies.
In November 2013, Forkitor, a sophisticated malware targeting Linux operating systems, was discovered by Symantec. Capable of stealing login credentials from secure shell connections, Forkitor enabled attackers to access the encryption key that secured the affected organizations’internal communications.
Of course, not all attacks come from the outside; many are initiated by malicious insiders. In June of 2013, Edward Snowden utilized digital keys and social engineering to access a huge swath of servers and then successfully exfiltrate that data from the NSA.
The Snowden incident is a prime example as to how a privileged administrator can take advantage of a lack of access control or monitoring capabilities to execute an attack. Politics aside, individuals responsible for the security of a major enterprise would not want a similar exploit occurring under their watch.
Yet another example of a system administrator creating backdoors occurred in April 2013, when a former employee of the website hosting company HostGator used an SSH key to gain unfettered access to 2,700 servers, potentially putting thousands of their customers’ websites at risk. Fortunately, in this instance, a screen capture tool helped the company identify the responsible party before an attack was executed, and the employee was arrested and charged with multiple felonies.
Heartbleed showed the cybersecurity community that widely-used technologies critical to the very lifeblood of a modern society have lived for far too long below the surface. The lack of proper management and control of affected systems significantly delayed remediation capabilities while the vulnerability itself exposed other encryption networks with equally poor management controls and visibility.
Despite the obvious risks, basic best practices for managing encrypted networks, such as centralized provisioning (including creation, rotation and removal), are not in place for the majority of enterprises. Encrypted channels are seldom monitored for malicious activity, as many IT leaders assume their conventional Privileged Access Management strategy addresses this issue. The reality reveals otherwise.
The technology community has embraced encryption technology for nearly two decades and uses it ubiquitously in applications, data centers and beyond. The power and importance the core components of network security deliver should compel IT security managers to invest in solutions allowing these technologies to be secure, as they are an integral component of the technology ecosystem. Taking such an approach greatly distances the modern enterprise from being a Heartbleed away from a critical, widespread security disaster.